Twenty per cent of Tim Bell’s customers are UK-based entrepreneurs and companies, but he does not officially count them among his clients, yet. “We have a ‘no Brexit, no fee’ contract,” he says.
If – as it seems likely – the Brexit transition period comes to an end on January 1, 2021, those prospective customers will start using the services of Bell’s company; conversely, if by some accident of fate the transition is extended beyond New Year’s Day, they will stand by until the UK’s full-blown exit from the EU’s orbit. In Bell’s case, Brexit is going to be good for business.
Bell is the founder and managing director of DataRep, a Dublin-based firm offering data representation services, a kind of service that no UK company would have had to busy itself with had voters not decided to leave the European Union in the 2016 referendum on membership. Launched in 2017, DataRep has a presence in 29 out of 30 EU and EEA countries, and it acts as a stand-in for companies that process EU citizens’ personal data but have no office in the EU themselves. Bell’s company deals with data subject requests, liaises with European data protection authorities, and handles other clerical matters in its clients’ stead. The appointment of a data representative is required by Article 27 of GDPR, the EU’s data protection regulation that started to be enforced in May 2018, triggering compliance panic all across Europe.
GDPR anxiety has now almost faded from the British public’s memory, but the regulation’s consequences have not: as soon as the UK leaves the bloc in earnest, it will be treated as a non-EU country, and Article 27 will start applying to all British companies meeting the criteria. Who are they? Not corporate giants, which are likely to have an office somewhere in the EU already, and not family-run bakeries, but rather a galaxy of mid-sized internet-based companies catering to EU customers. Bell cites software-as-a-service startups, e-commerce businesses, and organisations that conduct clinical trials as DataRep’s typical clients.
He expects many others to follow, as awareness about Article 27 grows. The same goes for European businesses that interact with British customers: post-Brexit they will have to open an office in the UK, or hire a local data representative; some African, American, or Asian companies doing business in both the EU and the UK will end up with the grand total of two data representatives.
The big question for many UK business owners will be whether they need a data representative at all. “Come January 1, if you're a company offering goods and services to EU citizens – or if you have cookies on your website monitoring EU people for targeted advertising – you’ll need to have a representative in the EU,” says Jon Baines, a senior data protection specialist at law firm Mishcon de Reya. “Now, there are exemptions. Article 27's wording says that this should not apply to processing that is occasional, is not at a large scale, and is unlikely to result in risk. But no one knows what ‘occasional’ means.”
Deciding whether to hire a local representative might become a gamble. Prices are relatively low: companies such as DataRep charge fees that range from €150 (£130) to a maximum of €5,000-€6,000 (£4,500-5,400) a year, depending on the amount of personal data a company processes, and the related level of risk. On the other hand, bizarrely enough, it is not clear what would happen to companies flouting Article 27. While the maximum penalty is €10 million or two percent of a company's global turnover, Baines says this does not seem to be an area where enforcement is frequent.
“One question is whether anything is going to happen to you if you don't appoint a representative," Baines says. "Strictly, it’s a breach of GDPR, but I am not sure what is the result if you don't have a representative. I am not sure what the enforcement is.”
Precedents are scant. The most high-profile case concerning a company that processed huge amounts of EU personal data without having appointed a local representative is a 2014 decision by the Dutch data protection authority against messaging service WhatsApp, which was fined €10,000 for each day of non-compliance. But that decision was pre-GDPR, and targeted a US technology company; it is hard to tell whether a medium-sized British business should brace for similar pushback. “Small to medium size businesses are unlikely to receive a [two] per cent-of-turnover fine in relation to the Article 27 obligation,” says Jonathan Kewley, co-head of law firm Clifford Chance's technology team. Kewley thinks that Article 27 should be seen more as an instance of the growing stack of additional business costs which Brexit – alongside the Covid-19 pandemic – will saddle British companies with.
For another example, just look at data adequacy. Regardless of whether the UK and the EU strike a trade deal by the end of December, it is unclear whether personal data will be allowed to flow from the EU to the UK in the same way it did while Britain was part of the union. That question hinges on whether the EU decides to deem the UK’s standard of data protection good enough – and that decision might very well be negative, given European concerns over the UK’s mass surveillance practices and its intelligence-sharing agreements with the US and the rest of the Five Eyes alliance. Until data adequacy is awarded, UK companies that depend heavily on sending and receiving personal data from the EU – in sectors like finance, cloud computing and e-commerce – will have to resort to alternative arrangements, called standard contractual clauses. The price tag of that additional layer of bureaucracy, plus the potential cost of non-compliance, has been estimated at £1.6 billion.
Dominic Hallas, the executive director of British startup trade association Coadec, says that the impending Article 27 conundrum epitomises the complications awaiting several UK companies come January 1. “It goes to show why adequacy is really important – both because lots of startups simply won't have the right standard contractual clauses in place but also because of the additional burden of administration on issues like this,” Hallas says. “The problem is that the average startup still simply doesn't know about this stuff.”
Like non-adequacy, Article 27 could become a novel source of annoyance, lurking costs, and – potentially – pettiness. “There’s a risk that this obligation to appoint a representative may be weaponised by EU authorities, if they so choose; and likewise in a reciprocal manner in the UK,” says Kewley. “We are increasingly seeing that data might play a role in a wider trade war between the UK and the EU.” He says that fines might be just one of the possible problems: UK companies that have not appointed a data representative could be issued warnings, reprimands, and other statements of non-compliance; authorities might follow up repeatedly until the problem is sorted.
And the fate of the wider Brexit process could determine how much unwanted attention British companies get from EU data protection authorities. “If the UK doesn't receive an adequacy decision, and decides to go down the path of exceptionalism, this might be one flash point. The focus on the Article 27 obligation is indicative of a broader trend in the data privacy field,” Kewley says.
In the brewing mess of red tape and confusion following Brexit, companies such as DataRep – and others that have been mushrooming since GDPR and Brexit rose to the status of familiar locutions – might be the only ones that stand to gain. Well, kind of: theoretically, if a company sanctioned under GDPR fails to pay the fine, data representatives might be asked to foot the bill for their clients. “The designated representative should be subject to enforcement proceedings in the event of non-compliance,” Baines says. “That’s why I wouldn't want to say ‘Yes, I am a representative’ and then discover the [data] controller takes huge risks with EU citizens' data.”
Gian Volpicelli is WIRED's politics editor. He tweets from @Gmvolpi
This article was originally published by WIRED UK